F5 Labs, in conjunction with our partner Baffin Bay Networks, research global attack traffic region to region to gain a deeper understanding of the cyber threat landscape. Aside from attack campaigns targeting the entire Internet (IPv4 address space), the attack landscape varies regionally in terms of sources, targets, and attack types. In addition, targeted ports expose regional differences in IT norms when it comes to the way non-standard ports are used for HTTP and SSH.
In this latest data collection, we looked at malicious traffic over the same 90-day period (August 1, 2019 through October 31, 2019) in the United States (U.S.), Canada, Latin America, Europe, Russia, Asia, and Australia. The attack landscape in the U.S. differed from the other regions in that the largest share of malicious traffic came from inside the U.S., which makes it harder to defend against.
- The top three attacking IP addresses targeting U.S. systems were assigned to Russia; together they launched a normalized count of 1.885 million attacks against the region.
- Rounding out the top 10 IP addresses sending malicious traffic to systems in the U.S. were addresses assigned to Moldova, France, Germany, and the U.S. These 10 IP addresses launched RFB/VNC port 5900 attacks, hitting all regions of the world.
- U.S. systems saw significant malicious traffic directed toward them that originated from inside the country. Approximately 16.1% of all normalized attack traffic (when looking at the top 20 source traffic countries) originated inside the U.S. and targeted American systems. This tactic makes it difficult for enterprises to filter malicious traffic without disrupting use by legitimate users.
- The U.S. saw many application services and remote access ports and services targeted by malicious traffic from August 1 through October 31, 2019. Notably, the U.S. was the only region of the world to see port 45 targeted by attack traffic during this time period.
- The top ports targeted in the U.S. followed similar patterns to the rest of the world, with VNC port 5900 (being attacked in regions all over the world) being the top attacked port. SMB port 445 follows, along with SSH port 22, HTTP port 80, and HTTPS port 443.
Note: A “normalized” attack count is not the raw total of attacks collected; it is a calculated number that accounts for the number of attack collection sensors in each region. We use normalized attack data in these reports to compare attack data between regions accurately and to ensure that no single region is overrepresented in the overall analysis.
Top Source Traffic Countries
Before we look at the top “source traffic countries,” it’s important to clarify that we’re talking about the geographical source of IP addresses in this section. The “top source traffic countries” does not mean that the country itself, individuals, or organizations based in that country were responsible for the malicious traffic. The attack traffic could have been coming through a proxy server or compromised system or IoT device with IP addresses assigned in a particular country. For expediency, we refer to these as “top source traffic countries.”
IP addresses assigned to the U.S. launched the most malicious traffic against systems in the U.S. from August 1, 2019, through October 31, 2019. The top 10 source traffic countries during this period were:
- South Korea
- Republic of Moldova
All of the top 10 were also the top malicious source traffic countries globally.
The largest share of malicious traffic launched against U.S. systems came from IP addresses assigned in the U.S. (see Figure 2). These IP addresses accounted for 16.1% of all attack traffic directed towards U.S. systems. This kind of traffic can be more difficult for enterprises to filter, since businesses typically want everyone in their own country to be able to reach them. Twenty IP addresses assigned in the U.S. were in the top attacking IP addresses list.
IP addresses assigned in Russia followed closely, accounting for 15.9% of all malicious traffic directed towards U.S. systems. Both the U.S. and Russia are on the global list of top source traffic countries. IP addresses assigned in both of these countries were seen participating in the RFB/VNC port 5900 port scanning and credential stuffing, targeting all regions of the world.
No countries were seen uniquely targeting the U.S. In fact, of the top 20 attacking countries, all were seen targeting other regions of the world. The most unique attacks came from IP addresses assigned in Ireland, which targeted three regions: Europe, the U.S., and Canada.
Europe, the U.S., and Canada have many similarities in their threat landscapes over this time period, especially in the protocols that were targeted. The U.S. and Canada had a particularly similar geographic attacker landscape: they shared 95% of the same top source traffic countries. They differed in that IP addresses assigned to Hong Kong rank as a top source country targeting the U.S. but not Canada. No IP addresses assigned to Hong Kong were in the top attacking IP addresses list, and only one IP address each from a handful of countries in the top source countries list appeared there. In the top attacking IP addresses list, a single IP address assigned to Ireland launched a normalized 121,000 attacks, yet Ireland ranks as a top source country. This means attacks coming from IP addresses assigned in Ireland were more distributed: launched from many IP addresses at a low number of attacks per IP address. This type of activity is deliberate and takes more resources (systems and manpower) to pull off, and therefore is typically attributed to more sophisticated threat actors.
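The two analytical steps this section relies on, normalizing raw sensor counts (see the note above) and judging whether a source country's traffic is concentrated in a few IP addresses or spread thinly across many (the Ireland case), can be reproduced on per-IP data. The following is an added illustration, not F5 Labs or Baffin Bay Networks code: the per-sensor normalization formula, the sample events and the 50% concentration threshold are all assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed sample: (source_country, source_ip, raw_hits) seen by sensors in one
# target region. Values are invented for illustration, not real measurements.
RAW_EVENTS = [
    ("US", "198.51.100.1", 9000), ("US", "198.51.100.2", 6000),
    ("RU", "203.0.113.5", 15000), ("RU", "203.0.113.6", 800),
    ("IE", "192.0.2.10", 1210), ("IE", "192.0.2.11", 1190), ("IE", "192.0.2.12", 1150),
    ("KR", "192.0.2.50", 2000),
]
SENSORS_IN_REGION = 10  # constructed: number of collection sensors in the target region


def normalize(raw_hits, sensors):
    """Assumed normalization: hits per sensor, so regions with more sensors
    are not overweighted when compared with regions that have fewer."""
    return raw_hits / sensors


def country_profile(events, sensors, concentration_threshold=0.5):
    """Per source country: normalized total, share of all traffic, distinct IPs,
    and the share contributed by its single busiest IP. A country whose busiest
    IP carries less than the threshold is flagged as 'distributed'."""
    per_ip = defaultdict(float)
    for country, ip, hits in events:
        per_ip[(country, ip)] += normalize(hits, sensors)
    totals, top_ip, ips = defaultdict(float), {}, defaultdict(int)
    for (country, _ip), n in per_ip.items():
        totals[country] += n
        ips[country] += 1
        top_ip[country] = max(top_ip.get(country, 0.0), n)
    grand = sum(totals.values())
    return {
        c: {
            "normalized": round(total, 1),
            "share_pct": round(100 * total / grand, 1),
            "ips": ips[c],
            "top_ip_share_pct": round(100 * top_ip[c] / total, 1),
            "distributed": top_ip[c] / total < concentration_threshold,
        }
        for c, total in totals.items()
    }


if __name__ == "__main__":
    for c, p in sorted(country_profile(RAW_EVENTS, SENSORS_IN_REGION).items(),
                       key=lambda kv: -kv[1]["normalized"]):
        print(c, p)
```

In the constructed data, Russia's traffic is dominated by one address while Ireland's is spread evenly across three, which is the pattern the text describes for the real Ireland-sourced traffic.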